Merge branch 'usnistgov:main' into main

This commit is contained in:
Dan Brodjieski
2025-12-23 10:09:00 -05:00
committed by GitHub
43 changed files with 436 additions and 114 deletions


@@ -2,6 +2,58 @@
This document provides a high-level view of the changes to the macOS Security Compliance Project.
## [Tahoe, Revision 2.0] 2025-12-18
* Rules
* Added Rules
* os_loginwindow_adminhostinfo_disabled
* os_safari_clear_history_disable
* os_safari_private_browsing_disable
* os_skip_apple_intelligence_enable
* system_settings_download_software_update_enforce
* system_settings_security_update_install
* Modified Rules
* audit_auditd_enabled
* os_icloud_storage_prompt_disable
* os_privacy_setup_prompt_disable
* os_recovery_lock_enable
* os_secure_boot_verify
* os_siri_prompt_disable
* os_skip_screen_time_prompt_enable
* os_skip_unlock_with_watch_enable
* os_time_server_enabled
* os_touchid_prompt_disable
* os_unlock_active_user_session_disable
* pwpolicy_account_lockout_enforce
* pwpolicy_account_lockout_timeout_enforce
* pwpolicy_history_enforce
* pwpolicy_lower_case_character_enforce
* pwpolicy_upper_case_character_enforce
* pwpolicy_special_character_enforce
* pwpolicy_minimum_length_enforce
* pwpolicy_minimum_lifetime_enforce
* pwpolicy_max_lifetime_enforce
* system_settings_location_services_enable
* system_settings_location_services_disable
* system_settings_screen_sharing_disable
* system_settings_ssh_disable
* system_settings_bluetooth_sharing_disable
* system_settings_hot_corners_secure
* system_settings_time_machine_encrypted_configure
* Removed Rules
* system_settings_software_update_enforce
* Bug Fixes
* Baselines
* Added STIG - Ver 1, Rel 1
* Modified existing baselines
* Scripts
* generate_guidance
* Bug fixes related to consolidated configuration profile generation
* Improved handling of Declarative Device Management (DDM) nested keys
* Compliance script stability improvements
* generate_scap
* Minor fixes to SCAP/XCCDF output generation
## [Tahoe, Revision 1.0] - 2025-09-11
* Rules


@@ -36,7 +36,7 @@ Civilian agencies are to use the National Checklist Program as required by [NIST
|John Mahlman IV|Leidos
|Aaron Kegerreis|DISA
|Henry Stamerjohann|Declarative IT GmbH
|Marco A Piñeryo II|State Department
|Marco A Piñeyro II|State Department
|Jason Blake|NIST
|Blair Heiserman|NIST
|Joshua Glemza|NASA


@@ -1,5 +1,5 @@
os: "26.0"
platform: macOS
version: "Tahoe Guidance, Revision 1.0"
version: "Tahoe Guidance, Revision 2.0"
cpe: o:apple:macos:26.0
date: "2025-09-11"
date: "2025-12-18"


@@ -168,6 +168,7 @@ profile:
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
- system_settings_smbd_disable
- system_settings_softwareupdate_current
- system_settings_ssh_disable
- system_settings_ssh_enable
- system_settings_system_wide_preferences_configure


@@ -189,6 +189,7 @@ profile:
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_softwareupdate_current
- system_settings_ssh_disable
- system_settings_ssh_enable
- system_settings_system_wide_preferences_configure


@@ -156,6 +156,7 @@ profile:
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_softwareupdate_current
- system_settings_ssh_disable
- system_settings_ssh_enable
- system_settings_time_server_configure


@@ -186,6 +186,7 @@ profile:
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_softwareupdate_current
- system_settings_ssh_disable
- system_settings_ssh_enable
- system_settings_system_wide_preferences_configure

195
baselines/DISA-STIG.yaml Normal file

@@ -0,0 +1,195 @@
title: "macOS 26.0: Security Configuration - Apple macOS 26 (Tahoe) STIG - Ver 1, Rel 1"
description: |
This guide describes the actions to take when securing a macOS 26.0 system against the Apple macOS 26 (Tahoe) STIG - Ver 1, Rel 1 security baseline.
authors: |
*macOS Security Compliance Project*
|===
|Dan Brodjieski|National Aeronautics and Space Administration
|Allen Golbig|Jamf
|Bob Gendler|National Institute of Standards and Technology
|Aaron Kegerreis|Defense Information Systems Agency
|===
parent_values: "stig"
profile:
- section: "auditing"
rules:
- audit_acls_files_configure
- audit_acls_folders_configure
- audit_auditd_enabled
- audit_configure_capacity_notify
- audit_control_acls_configure
- audit_control_group_configure
- audit_control_mode_configure
- audit_control_owner_configure
- audit_files_group_configure
- audit_files_mode_configure
- audit_files_owner_configure
- audit_flags_aa_configure
- audit_flags_ad_configure
- audit_flags_ex_configure
- audit_flags_fd_configure
- audit_flags_fm_configure
- audit_flags_fr_configure
- audit_flags_fw_configure
- audit_flags_lo_configure
- audit_folder_group_configure
- audit_folder_owner_configure
- audit_folders_mode_configure
- audit_retention_configure
- audit_settings_failure_notify
- section: "authentication"
rules:
- auth_pam_login_smartcard_enforce
- auth_pam_su_smartcard_enforce
- auth_pam_sudo_smartcard_enforce
- auth_smartcard_allow
- auth_smartcard_certificate_trust_enforce_moderate
- auth_smartcard_enforce
- auth_ssh_password_authentication_disable
- section: "icloud"
rules:
- icloud_addressbook_disable
- icloud_bookmarks_disable
- icloud_calendar_disable
- icloud_drive_disable
- icloud_freeform_disable
- icloud_game_center_disable
- icloud_keychain_disable
- icloud_mail_disable
- icloud_notes_disable
- icloud_photos_disable
- icloud_private_relay_disable
- icloud_reminders_disable
- icloud_sync_disable
- section: "macos"
rules:
- os_account_modification_disable
- os_airdrop_disable
- os_appleid_prompt_disable
- os_asl_log_files_owner_group_configure
- os_asl_log_files_permissions_configure
- os_authenticated_root_enable
- os_bonjour_disable
- os_camera_disable
- os_certificate_authority_trust
- os_config_data_install_enforce
- os_dictation_disable
- os_erase_content_and_settings_disable
- os_facetime_app_disable
- os_filevault_autologin_disable
- os_gatekeeper_enable
- os_genmoji_disable
- os_handoff_disable
- os_home_folders_secure
- os_httpd_disable
- os_icloud_storage_prompt_disable
- os_image_playground_disable
- os_install_log_retention_configure
- os_iphone_mirroring_disable
- os_loginwindow_adminhostinfo_disabled
- os_mdm_require
- os_newsyslog_files_owner_group_configure
- os_newsyslog_files_permissions_configure
- os_nfsd_disable
- os_on_device_dictation_enforce
- os_password_hint_remove
- os_password_proximity_disable
- os_policy_banner_loginwindow_enforce
- os_policy_banner_ssh_configure
- os_policy_banner_ssh_enforce
- os_privacy_setup_prompt_disable
- os_recovery_lock_enable
- os_root_disable
- os_secure_boot_verify
- os_sip_enable
- os_siri_prompt_disable
- os_skip_apple_intelligence_enable
- os_skip_screen_time_prompt_enable
- os_skip_unlock_with_watch_enable
- os_ssh_fips_compliant
- os_ssh_server_alive_count_max_configure
- os_ssh_server_alive_interval_configure
- os_sshd_channel_timeout_configure
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_compliant
- os_sshd_login_grace_time_configure
- os_sshd_permit_root_login_configure
- os_sshd_unused_connection_timeout_configure
- os_sudo_log_enforce
- os_sudo_timeout_configure
- os_sudoers_timestamp_type_configure
- os_tftpd_disable
- os_time_server_enabled
- os_touchid_prompt_disable
- os_unlock_active_user_session_disable
- os_user_app_installation_prohibit
- os_uucp_disable
- os_writing_tools_disable
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
- pwpolicy_account_lockout_enforce
- pwpolicy_account_lockout_timeout_enforce
- pwpolicy_alpha_numeric_enforce
- pwpolicy_custom_regex_enforce
- pwpolicy_max_lifetime_enforce
- pwpolicy_minimum_length_enforce
- pwpolicy_minimum_lifetime_enforce
- pwpolicy_special_character_enforce
- pwpolicy_temporary_or_emergency_accounts_disable
- section: "systemsettings"
rules:
- system_settings_airplay_receiver_disable
- system_settings_apple_watch_unlock_disable
- system_settings_automatic_login_disable
- system_settings_automatic_logout_enforce
- system_settings_bluetooth_disable
- system_settings_bluetooth_settings_disable
- system_settings_bluetooth_sharing_disable
- system_settings_content_caching_disable
- system_settings_diagnostics_reports_disable
- system_settings_filevault_enforce
- system_settings_find_my_disable
- system_settings_firewall_enable
- system_settings_gatekeeper_identified_developers_allowed
- system_settings_guest_account_disable
- system_settings_hot_corners_disable
- system_settings_improve_assistive_voice_disable
- system_settings_improve_search_disable
- system_settings_improve_siri_dictation_disable
- system_settings_internet_sharing_disable
- system_settings_location_services_disable
- system_settings_loginwindow_prompt_username_password_enforce
- system_settings_media_sharing_disabled
- system_settings_password_hints_disable
- system_settings_personalized_advertising_disable
- system_settings_printer_sharing_disable
- system_settings_rae_disable
- system_settings_remote_management_disable
- system_settings_screen_sharing_disable
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_softwareupdate_current
- system_settings_system_wide_preferences_configure
- system_settings_time_server_configure
- system_settings_time_server_enforce
- system_settings_token_removal_enforce
- system_settings_touchid_unlock_disable
- system_settings_usb_restricted_mode
- system_settings_wallet_applepay_settings_disable
- section: "Inherent"
rules:
- os_supported_operating_system
- section: "Supplemental"
rules:
- supplemental_controls
- supplemental_filevault
- supplemental_firewall_pf
- supplemental_password_policy
- supplemental_smartcard


@@ -317,6 +317,7 @@ profile:
- os_secure_enclave
- os_separate_functionality
- os_store_encrypted_passwords
- os_supported_operating_system
- os_terminate_session
- os_unique_identification
- os_verify_remote_disconnection


@@ -1,6 +1,6 @@
title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT"
title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1)"
description: |
This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) security baseline.
authors: |
*macOS Security Compliance Project*
@@ -101,6 +101,7 @@ profile:
- system_settings_remote_management_disable
- system_settings_screen_sharing_disable
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
- system_settings_smbd_disable


@@ -1,6 +1,6 @@
title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT"
title: "macOS 26.0: Security Configuration - CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2)"
description: |
This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT security baseline.
This guide describes the actions to take when securing a macOS 26.0 system against the CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) security baseline.
authors: |
*macOS Security Compliance Project*
@@ -123,6 +123,7 @@ profile:
- system_settings_remote_management_disable
- system_settings_screen_sharing_disable
- system_settings_screensaver_ask_for_password_delay_enforce
- system_settings_screensaver_password_enforce
- system_settings_screensaver_timeout_enforce
- system_settings_siri_disable
- system_settings_smbd_disable


@@ -99,6 +99,7 @@ profile:
- system_settings_security_update_install
- system_settings_siri_disable
- system_settings_smbd_disable
- system_settings_softwareupdate_current
- system_settings_ssh_disable
- system_settings_ssh_enable
- system_settings_system_wide_preferences_configure


@@ -205,6 +205,7 @@ profile:
- system_settings_siri_disable
- system_settings_siri_settings_disable
- system_settings_smbd_disable
- system_settings_softwareupdate_current
- system_settings_ssh_disable
- system_settings_ssh_enable
- system_settings_system_wide_preferences_configure


@@ -83,15 +83,15 @@ titles:
800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
800-171: NIST 800-171 Rev 3
cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1) - DRAFT
cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2) - DRAFT
cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1)
cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2)
cmmc_lvl1: US CMMC 2.0 Level 1
cmmc_lvl2: US CMMC 2.0 Level 2
cisv8: CIS Controls Version 8
cnssi-1253_low: Committee on National Security Systems Instruction No. 1253 (Low)
cnssi-1253_moderate: Committee on National Security Systems Instruction No. 1253 (Moderate)
cnssi-1253_high: Committee on National Security Systems Instruction No. 1253 (High)
stig: Apple macOS 15 (Sequoia) STIG - Ver 1, Rel 4
stig: Apple macOS 26 (Tahoe) STIG - Ver 1, Rel 1
ddm:
supported_types:
- com.apple.configuration.services.configuration-files


@@ -25,7 +25,7 @@ references:
srg:
- SRG-OS-000047-GPOS-00023
disa_stig:
- APPL-26-001010
- N/A
800-171r3:
- 03.03.04
cmmc:
@@ -43,7 +43,6 @@ tags:
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
- cnssi-1253_moderate
severity: medium
mobileconfig: false


@@ -3,7 +3,7 @@ title: Access to External Storage Must Be Defined
discussion: |-
Access to external storage _MUST_ be managed.
NOTE: Apple's built in method using declative device management method only allows you to set external storage manament to Allowed, ReadOnly, and Disallowed.
NOTE: Apple's built in method using declarative device management method only allows you to set external storage management to Allowed, ReadOnly, and Disallowed.
check: |
/usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq --raw-output '.Restrictions.ExternalStorage'
result:


@@ -20,7 +20,7 @@ check: |
result:
integer: 1
fix: |
NOTE: See discussion on remediation and how to enable firmware password.
NOTE: See discussion on how to enable firmware password.
references:
cce:
- CCE-95194-7
@@ -33,7 +33,7 @@ references:
srg:
- SRG-OS-000480-GPOS-00227
disa_stig:
- APPL-26-003013
- N/A
800-171r3:
- 03.01.05
cmmc:
@@ -52,7 +52,6 @@ tags:
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
- cnssi-1253_moderate
severity: medium
mobileconfig: false


@@ -5,7 +5,7 @@ discussion: |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government.
Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Tahoe for Apple Silicion will be submitted for FIPS validation. macOS Tahoe for Intel based processors will _NOT_ be submitted for FIPS validation.
Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Tahoe for Apple Silicon will be submitted for FIPS validation. macOS Tahoe for Intel based processors will _NOT_ be submitted for FIPS validation.
link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[]


@@ -10,7 +10,7 @@ check: |
result:
string: 'false'
fix: |
This is implemented by a Configuration Profile
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95212-7


@@ -3,7 +3,7 @@ title: Network Storage Must Be Restricted
discussion: |-
Network Storage _MUST_ be restricted.
NOTE: Apple's built in method using declative device management method only allows you to set network storage manament to Allowed, ReadOnly, and Disallowed.
NOTE: Apple's built in method using declarative device management method only allows you to set network storage management to Allowed, ReadOnly, and Disallowed.
check: |
/usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq --raw-output '.Restrictions.NetworkStorage'
result:


@@ -4,6 +4,8 @@ discussion: |
Dictation _MUST_ be restricted to on device only to prevent potential data exfiltration.
The information system _MUST_ be configured to provide only essential capabilities.
IMPORTANT: This rule only applies to Apple Silicon devices.
check: |
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\


@@ -1,7 +1,7 @@
id: os_photos_enhanced_search_disable
title: Disable Photos Enhanced Visual Search
discussion: |-
Enhanced Visualed Search _MUST_ be disabled in the Photos app.
Enhanced Visual Search _MUST_ be disabled in the Photos app.
The information system _MUST_ be configured to provide only essential capabilities. Disabling Enhanced Visual Search will mitigate the risk of unwanted data being sent to Apple.
check: |


@@ -5,7 +5,7 @@ discussion: |
macOS contains many open source projects that may use their own cryptographic libraries typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS Validation of the CoreCrypto and CoreCrypto Kernel modules.
Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Tahoe for Apple Silicion will be submitted for FIPS validation. macOS Tahoe for Intel based processors will _NOT_ be submitted for FIPS validation.
Apple is committed to the FIPS validation process and historically has always submitted and validated the cryptographic modules in macOS. macOS Tahoe for Apple Silicon will be submitted for FIPS validation. macOS Tahoe for Intel based processors will _NOT_ be submitted for FIPS validation.
link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[]


@@ -1,5 +1,5 @@
id: os_safari_clear_history_disable
title: Ensure Clearning of Browsing History in Safari Is Disabled
title: Ensure Clearing of Browsing History in Safari Is Disabled
discussion: |
Clearing of browser history _MUST_ be disabled in Safari.
check: |
@@ -36,4 +36,4 @@ tags:
mobileconfig: true
mobileconfig_info:
com.apple.applicationaccess:
allowSafariHistoryClearing: false
allowSafariHistoryClearing: false


@@ -15,7 +15,7 @@ fix: |
----
/usr/bin/csrutil enable
----
NOTE: To reenable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
NOTE: To re-enable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
references:
cce:
- CCE-95298-6


@@ -15,7 +15,7 @@ references:
cce:
- CCE-95603-7
cci:
- N/A
- CCI-000381
800-53r5:
- AC-4
- AC-20
@@ -23,9 +23,9 @@ references:
800-53r4:
- AC-20
srg:
- N/A
- SRG-OS-000095-GPOS-000049
disa_stig:
- N/A
- APPL-26-005170
800-171r3:
- 03.01.20
- 03.04.06
@@ -49,6 +49,7 @@ tags:
- cmmc_lvl2
- cmmc_lvl1
- cnssi-1253_moderate
- stig
severity: medium
mobileconfig: true
mobileconfig_info:


@@ -4,15 +4,17 @@ discussion: |
Apple Silicon MacBooks should set sleep timeout to 15 minutes (900 seconds) or less and the display sleep timeout should be 10 minutes (600 seconds) or less but less than the sleep setting.
check: |
error_count=0
if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 15 ]]; then
((error_count++))
fi
if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 10 ]] || [[ "$displaysleepMode" -gt "$sleepMode" ]]; then
((error_count++))
if /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep -q "MacBook"; then
cpuType=$(/usr/sbin/sysctl -n machdep.cpu.brand_string)
if echo "$cpuType" | grep -q "Apple"; then
sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 15 ]]; then
((error_count++))
fi
if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 10 ]] || [[ "$displaysleepMode" -gt "$sleepMode" ]]; then
((error_count++))
fi
fi
fi
echo "$error_count"


@@ -28,7 +28,7 @@ references:
- N/A
cis:
benchmark:
- 1.5 (level 1)
- 1.4 (level 1)
controls v8:
- 7.3
- 7.4


@@ -2,6 +2,8 @@ id: os_software_update_deferral
title: Ensure Software Update Deferment Is Less Than or Equal to $ODV Days
discussion: |
Software updates _MUST_ be deferred for $ODV days or less.
If you need to defer software updates, create a Restrictions profile using the com.apple.applicationaccess domain and the key enforcedSoftwareUpdateDelay.
check: |
/usr/bin/osascript -l JavaScript << EOS
function run() {
@@ -49,7 +51,5 @@ odv:
tags:
- cis_lvl1
- cis_lvl2
mobileconfig: true
mobileconfig: false
mobileconfig_info:
com.apple.applicationaccess:
enforcedSoftwareUpdateDelay: $ODV


@@ -23,7 +23,7 @@ result:
fix: |
[source,bash]
----
if [ -f /etc/ssh/crypto.conf ] && /usr/bin/grep -q "Include /etc/ssh/crypto.conf" /etc/ssh/sshd_config.d/100-macos.conf 2>/bin/null; then
if [ -f /etc/ssh/crypto.conf ] && /usr/bin/grep -q "Include /etc/ssh/crypto.conf" /etc/ssh/sshd_config.d/100-macos.conf 2>/dev/null; then
/bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf
fi


@@ -3,7 +3,7 @@ title: Configure SSHD PerSourcePenalties
discussion: |
If SSHD is enabled then it _MUST_ be configured with the Per Source Penalties configured.
Per Source Penalities controls penalties for various conditions that may represent attacks on sshd.
Per Source Penalties controls penalties for various conditions that may represent attacks on sshd.
Penalties are enabled by default.


@@ -11,6 +11,7 @@ fix: |
----
/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' \;
/bin/echo "Defaults timestamp_timeout=$ODV" >> /etc/sudoers.d/mscp
/bin/chmod 440 /etc/sudoers.d/mscp
----
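Review bot: The added `/bin/chmod 440 /etc/sudoers.d/mscp` corrects the mode, but nothing in the fix validates the drop-in after the `>>` write on the line above it, and a sudoers.d file that sudo refuses to parse can leave every administrator unable to elevate on the host. A syntax check is one line and should follow the chmod: `/usr/sbin/visudo -cf /etc/sudoers.d/mscp`. The `fix:` block begins before this hunk, so the surrounding `[source,bash]` fence is only partly visible here.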
references:
cce:


@@ -0,0 +1,32 @@
id: os_supported_operating_system
title: The macOS Version Must Be Supported by the Vendor
discussion: |
Unsupported software and systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.
Software and systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.
When maintenance updates and patches are no longer available, software is no longer considered supported and should be upgraded or decommissioned.
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- CCE-95604-5
cci:
- CCI-003376
800-53r5:
- N/A
800-53r4:
- N/A
disa_stig:
- APPL-26-006000
srg:
- SRG-OS-000830-GPOS-00300
macOS:
- '26.0'
tags:
- inherent
- stig
mobileconfig: false
mobileconfig_info:


@@ -7,7 +7,7 @@ discussion: |
NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screensaver. A configuration profile will be generated to include the setting that restores the expected behavior. You can also apply the settings using `/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1`.
WARNING: This rule may cause issues when platformSSO is configured.
WARNING: Do not apply this rule if your organization uses smartcards and Platform Single Sign-On (PSSO).
check: |
RESULT="FAIL"
SS_RULE=$(/usr/bin/security -q authorizationdb read system.login.screensaver 2>&1 | /usr/bin/xmllint --xpath "//dict/key[.='rule']/following-sibling::array[1]/string/text()" -)


@@ -3,7 +3,7 @@ title: Prohibit Password Reuse for a Minimum of $ODV Generations
discussion: |
The macOS _MUST_ be configured to enforce a password history of at least $ODV previous passwords when a password is created.
This rule ensures that users are not allowed to re-use a password that was used in any of the $ODV previous password generations.
This rule ensures that users are not allowed to reuse a password that was used in any of the $ODV previous password generations.
Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods.


@@ -13,7 +13,7 @@ discussion: |
* The PF firewall can manipulate virtually any packet data and is highly configurable.
** More information on the BF firewall can be found here: https://www.openbsd.org/faq/pf/index.html
Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset.
Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plist` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset.
The custom pf rules are created at `/etc/pf.anchors/800_53_pf_anchors`.


@@ -1,7 +1,7 @@
id: system_settings_external_intelligence_sign_in_disable
title: Disable External Intelligence Integration Sign In
discussion: |
The ability to sign into an external intelligence systems _MUST_ be disabled unless approved by the organiztion. Disabling external intelligence integration will mitigate the risk of data being sent to unapproved third party.
The ability to sign into an external intelligence systems _MUST_ be disabled unless approved by the organization. Disabling external intelligence integration will mitigate the risk of data being sent to unapproved third party.
The information system _MUST_ be configured to provide only essential capabilities.
check: |


@@ -31,6 +31,11 @@ references:
- 03.05.01
cmmc:
- AC.L2-3.1.10
cis:
benchmark:
- 2.11.2 (level 1)
controls v8:
- 4.7
macOS:
- '26.0'
tags:
@@ -44,6 +49,8 @@ tags:
- cmmc_lvl2
- stig
- cnssi-1253_moderate
- cis_lvl1
- cis_lvl2
severity: medium
mobileconfig: true
mobileconfig_info:


@@ -2,11 +2,11 @@ id: system_settings_softwareupdate_current
title: Ensure Software Update is Updated and Current
discussion: |
Make sure Software Update is updated and current.
NOTE: Automatic fix can cause unplanned restarts and may lose work.
link:https://support.apple.com/en-us/108382[Update macOS on Mac] or if enrolled in an MDM consult your MDM's documentation for automated methods.
check: |
softwareupdate_date_epoch=$(/bin/date -j -f "%Y-%m-%d" "$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist LastFullSuccessfulDate | /usr/bin/awk '{print $1}')" "+%s")
thirty_days_epoch=$(/bin/date -v -30d "+%s")
thirty_days_epoch=$(/bin/date -v -$ODV "+%s")
if [[ $softwareupdate_date_epoch -lt $thirty_days_epoch ]]; then
/bin/echo "0"
else
@@ -15,38 +15,50 @@ check: |
result:
integer: 1
fix: |
[source,bash]
----
/usr/sbin/softwareupdate -i -a
----
NOTE - This will apply to the whole system
NOTE: See discussion on how to install software updates.
references:
cce:
- CCE-95405-7
cci:
- N/A
- CCI-002605
800-53r5:
- N/A
800-53r4:
- N/A
- SI-2
srg:
- N/A
- SRG-OS-000439-GPOS-00195
disa_stig:
- N/A
- APPL-26-999999
800-171r3:
- N/A
- 03.14.01
- 03.14.02
cis:
benchmark:
- 1.1 (level 1)
controls v8:
- 7.3
- 7.4
cmmc:
- SI.L1-3.14.1
- SI.L1-3.14.2
- SI.L1-3.14.4
macOS:
- '26.0'
odv:
hint: Maximum Days of Deferral
recommended: 30
cis_lvl1: 30
cis_lvl2: 30
stig: 30
tags:
- cis_lvl1
- cis_lvl2
- cisv8
- stig
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cmmc_lvl2
- cmmc_lvl1
severity: medium
mobileconfig: false
mobileconfig_info:
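Review bot: The parameterized line `thirty_days_epoch=$(/bin/date -v -$ODV "+%s")` drops the `d` unit that the replaced `-v -30d` carried; with the recommended value of 30 this expands to `-v -30`, and as far as I can tell from date(1) on macOS a numeric `-v` adjustment must carry a unit letter, so the substitution yields an empty value and the `-lt` test on the following line errors out instead of comparing dates. Write it as `thirty_days_epoch=$(/bin/date -v "-${ODV}d" "+%s")`. The variable name also no longer describes its contents now that the window is an ODV; something like `deferral_limit_epoch` would read better. The `check:` block begins before this section's first hunk.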


@@ -515,7 +515,7 @@ def main():
print("No rules found for the keyword provided, please verify from the following list:")
available_tags(all_rules)
else:
_established_benchmarks = ['stig', 'cis_lvl1', 'cis_lvl2']
_established_benchmarks = ['nlmapgov_base', 'nlmapgov_plus', 'stig', 'cis_lvl1', 'cis_lvl2']
if any(bm in args.keyword for bm in _established_benchmarks):
benchmark = args.keyword
else:


@@ -402,7 +402,7 @@ def concatenate_payload_settings(settings):
def generate_profiles(
baseline_name, build_path, parent_dir, baseline_yaml, signing, hash=""
baseline_name, build_path, parent_dir, baseline_yaml, signing, hash="", generate_domain=True, generate_consolidated=True
):
"""Generate the configuration profiles for the rules in the provided baseline YAML file"""
@@ -525,6 +525,15 @@ def generate_profiles(
)
for error in profile_errors:
print(error)
consolidated_profile = PayloadDict(
identifier="consolidated." + baseline_name,
uuid=False,
organization="macOS Security Compliance Project",
displayname=f"{baseline_name} settings",
description=f"Consolidated configuration settings for {baseline_name}."
)
# process the payloads from the yaml file and generate new config profile for each type
for payload, settings in profile_types.items():
if payload.startswith("."):
@@ -572,35 +581,35 @@ def generate_profiles(
if payload == "com.apple.ManagedClient.preferences":
for item in settings:
newProfile.addMCXPayload(item, baseline_name)
consolidated_profile.addMCXPayload(item, baseline_name)
# handle these payloads for array settings
elif (
(payload == "com.apple.applicationaccess.new")
or (payload == "com.apple.systempreferences")
or (payload == "com.apple.SetupAssistant.managed")
):
newProfile.addNewPayload(
payload, concatenate_payload_settings(settings), baseline_name
)
newProfile.addNewPayload(payload, concatenate_payload_settings(settings), baseline_name)
consolidated_profile.addNewPayload(payload, concatenate_payload_settings(settings), baseline_name)
else:
newProfile.addNewPayload(payload, settings, baseline_name)
consolidated_profile.addNewPayload(payload, settings, baseline_name)
if generate_domain:
with open(settings_plist_file_path, "wb") as settings_plist_file:
newProfile.finalizeAndSavePlist(settings_plist_file)
with open(unsigned_mobileconfig_file_path, "wb") as unsigned_mobileconfig_file:
newProfile.finalizeAndSave(unsigned_mobileconfig_file)
if signing:
sign_config_profile(unsigned_mobileconfig_file_path, signed_mobileconfig_file_path, hash)
if generate_consolidated:
consolidated_mobileconfig_file_path = os.path.join(unsigned_mobileconfig_output_path, f"{baseline_name}.mobileconfig")
with open(consolidated_mobileconfig_file_path, "wb") as consolidated_mobileconfig_file:
consolidated_profile.finalizeAndSave(consolidated_mobileconfig_file)
if signing:
unsigned_file_path = os.path.join(unsigned_mobileconfig_file_path)
unsigned_config_file = open(unsigned_file_path, "wb")
newProfile.finalizeAndSave(unsigned_config_file)
settings_config_file = open(settings_plist_file_path, "wb")
newProfile.finalizeAndSavePlist(settings_config_file)
unsigned_config_file.close()
# sign the profiles
sign_config_profile(unsigned_file_path, signed_mobileconfig_file_path, hash)
# delete the unsigned
else:
config_file = open(unsigned_mobileconfig_file_path, "wb")
settings_config_file = open(settings_plist_file_path, "wb")
newProfile.finalizeAndSave(config_file)
newProfile.finalizeAndSavePlist(settings_config_file)
config_file.close()
signed_consolidated_mobileconfig_path = os.path.join(signed_mobileconfig_output_path, f"{baseline_name}.mobileconfig")
sign_config_profile(consolidated_mobileconfig_file_path, signed_consolidated_mobileconfig_path, hash)
print(
f"""
@@ -889,17 +898,16 @@ def default_audit_plist(baseline_name, build_path, baseline_yaml):
plist_output_path, "org." + baseline_name + ".audit.plist"
)
plist_file = open(plist_file_path, "wb")
with open(plist_file_path, "wb") as plist_file:
plist_dict = {}
plist_dict = {}
for sections in baseline_yaml["profile"]:
for profile_rule in sections["rules"]:
if profile_rule.startswith("supplemental"):
continue
plist_dict[profile_rule] = {"exempt": False}
for sections in baseline_yaml["profile"]:
for profile_rule in sections["rules"]:
if profile_rule.startswith("supplemental"):
continue
plist_dict[profile_rule] = {"exempt": False}
plistlib.dump(plist_dict, plist_file)
plistlib.dump(plist_dict, plist_file)
def generate_script(baseline_name, audit_name, build_path, baseline_yaml, reference):
@@ -945,14 +953,6 @@ if [[ $EUID -ne 0 ]]; then
exit 1
fi
ssh_key_check=0
if /usr/sbin/sshd -T &> /dev/null || /usr/sbin/sshd -G &>/dev/null; then
ssh_key_check=0
else
/usr/bin/ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
ssh_key_check=1
fi
# path to PlistBuddy
plb="/usr/libexec/PlistBuddy"
@@ -1514,12 +1514,6 @@ else
read_options
done
fi
if [[ "$ssh_key_check" -ne 0 ]]; then
/bin/rm /etc/ssh/ssh_host_rsa_key
/bin/rm /etc/ssh/ssh_host_rsa_key.pub
ssh_key_check=0
fi
"""
# write out the compliance script
@@ -2065,7 +2059,14 @@ def create_args():
"-p",
"--profiles",
default=None,
help="Generate configuration profiles for the rules.",
help="Generate domain-specific configuration profiles for the rules.",
action="store_true",
)
parser.add_argument(
"-P",
"--consolidated-profile",
default=None,
help="Generate consolidated configuration profile for all rules.",
action="store_true",
)
parser.add_argument(
@@ -2730,10 +2731,20 @@ def main():
else:
audit_name = baseline_name
if args.profiles:
print("Generating configuration profiles...")
if args.profiles or args.consolidated_profile:
# Build message based on what's being generated
messages = []
if args.profiles:
messages.append("domain-specific")
if args.consolidated_profile:
messages.append("consolidated")
print(f"Generating {' and '.join(messages)} configuration profiles...")
# Single call to generate_profiles with both parameters
generate_profiles(
baseline_name, build_path, parent_dir, baseline_yaml, signing, args.hash
baseline_name, build_path, parent_dir, baseline_yaml, signing, args.hash,
generate_domain=args.profiles, generate_consolidated=args.consolidated_profile
)
if args.ddm:
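Review bot: The docstring of generate_profiles in the first hunk still describes only the original behaviour although the signature now takes `generate_domain` and `generate_consolidated`; extend it with a sentence such as `generate_domain writes one profile per payload domain; generate_consolidated also writes a single <baseline_name>.mobileconfig holding every payload`. In the payload loop of the @@ -572 hunk, `concatenate_payload_settings(settings)` is evaluated twice on consecutive lines — bind it once, `merged = concatenate_payload_settings(settings)`, and pass `merged` to both `addNewPayload` calls so the domain and consolidated profiles cannot diverge. The consolidated write and signing appear to sit inside the per-payload loop beside the `if generate_domain:` block; if that is the case, the consolidated file is rewritten and re-signed once per payload type, and moving that block after the loop would write it once with the complete payload set. generate_profiles and main both extend beyond these hunks.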


@@ -505,10 +505,10 @@ profile:'''.format(other_header,other_header,version_yaml['os'],version_yaml['ve
try:
if os.path.isdir("../build/" + other_header.lower() + "/baseline/") == False:
os.mkdir("../build/" + other_header.lower() + "/baseline")
if os.path.isdir("../build/baselines/") == False:
os.mkdir("../build/baselines")
with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower().replace(" ","_") + ".yaml",'w') as fw:
with open("../build/baselines/" + other_header.lower().replace(" ","_") + ".yaml",'w') as fw:
fw.write(full_baseline)
print(other_header.lower().replace(" ","_") + ".yaml baseline file created in build/" + other_header + "/baseline/")
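Review bot: The success message on the last line still reports the file under `build/<other_header>/baseline/`, but the new `with open` writes it to `../build/baselines/`, so the message now points users to a directory this code no longer creates; change it to `print(other_header.lower().replace(" ","_") + ".yaml baseline file created in build/baselines/")`. The `os.path.isdir(...) == False` guard followed by `os.mkdir` can be replaced by `os.makedirs("../build/baselines", exist_ok=True)`, which reads as the idiom and removes the check-then-create gap. The enclosing function starts before this hunk.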


@@ -29,7 +29,7 @@ ASSOCIATED DOCUMENTS
|===
|Document Number or Descriptor
|Document Title
|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_15_V1R3_STIG.zip[STIG Ver 1, Rel 4]|_Apple macOS 15 (Sequoia) STIG_
|link:https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_26_V1R1_STIG.zip[STIG Ver 1, Rel 1]|_Apple macOS 26 (Tahoe) STIG_
|===
[%header, cols=2*a]
@@ -64,5 +64,5 @@ ASSOCIATED DOCUMENTS
|===
|Document Number or Descriptor
|Document Title
|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 15.0]|_CIS Apple macOS 15.0 Benchmark version 1.1.0_
|link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 26.0]|_CIS Apple macOS 26.0 Benchmark version 1.0.0_
|===